Tuesday, March 9, 2010

Scenario: You have a limited amount of time and need to extract information from 45+ cell phones.

Solution: Cellebrite UFED.

First, let me say that I have no relationship with or financial interest in Cellebrite; I am merely a user of various cell phone and forensic tools. But after using many of the different tools (Paraben, BitPim, XRY, XACT, Neutrino, DataPilot, Wolf, CellDek), I cannot imagine doing multiple cell phones in a rapid fashion without the Cellebrite UFED. This does not mean I would not use other tools in other scenarios, but in this scenario I needed to work quickly and with minimal external power, and the Cellebrite UFED worked perfectly for that.

All of the above-mentioned tools are good, and some of them even extract more information or work with phones that the Cellebrite does not support, but nine times out of ten the Cellebrite not only handles the phone but lets me do it in a fairly rapid manner. This review is specifically about the Cellebrite UFED ruggedized model.

Cost:
The cost of the ruggedized version is a few thousand dollars more than the standard UFED.

Device:
Internally, the device is identical to the standard UFED, but externally it has a rubberized protector around the case. This makes it a little bigger and heavier, but it is still fairly small and usable. The device has the same external connectors and ports as the standard UFED. The power supply provided with the UFED is a 100-240 V unit designed to work with the mains voltages found in various countries.

Software updates:
Cellebrite has done an excellent job of keeping the UFED and UME devices as capable as possible by releasing frequent updates. Getting the updates is very simple: the base images can be downloaded from their website. The application update for the UFED device requires a free account on http://my.cellebrite.com. All that is needed is the device serial number and device ID, both of which can be read from the device's display.

Extras:
The ruggedized UFED comes with an integrated battery pack, which allows the UFED to be used in the field with no external power. The battery lasts a fairly long time: in the scenario above, it took a few hours to process all the phones and SIM cards, all of which were done on a single battery pack. A spare battery pack is provided and can be swapped in quickly to extend operating time.

The ruggedized UFED also comes with a rechargeable battery pack for powering phones, supplied with numerous phone tips to fit a wide range of handsets. This lets the user power not only the UFED (from its attached battery pack) but also a phone whose own battery is dead.

Cables:
All UFED devices come with a large collection of cables that fit most of the common phone types. Each cable is clearly marked with a unique cable number.

Examination Process:
There are essentially three areas of information to collect when doing a cell phone examination:

1. Phone
2. SIM
3. Media Card (if applicable)

Collecting information from the phone itself requires knowing the phone model and confirming that the Cellebrite device supports that specific model and firmware. I have encountered several phones that are "knock-offs" of the original, specifically Nokia and Apple models, that carry normal markings and model numbers but are Chinese-made counterfeits whose internal firmware differs from the originals; the UFED (or any other forensic device) will not work on them.

Once the phone model is known, the UFED will tell you exactly which cable number to use and then extract whatever information it can from the phone. Depending on the model, the UFED can typically get, at a minimum, contacts, SMS messages and call logs (incoming, outgoing and missed). From phones that support multimedia it can usually also extract multimedia files (videos, photos, ringtones).

On a limited number of models, if a SIM card is in the phone, the UFED will also extract information from the SIM card at the same time. On most models, though, you need to remove the SIM card and process it separately in the SIM card reader at the bottom of the UFED. This also depends on whether you are willing to let the phone connect to the network while you process it, or whether you have a Faraday bag or jammer. If not, remove the SIM card and process it separately so the phone does not register on the cell network and receive new calls or messages while it is being examined.

On some phones, the UFED needs to install a client application. The UFED "pushes" the application to the phone when it is connected, and you then have to operate the phone to complete the installation. Don't forget to delete the client after extraction, as the UFED does not do this automatically. Pushing a client modifies the phone, so record what was installed, and when, in your examination notes.

Lastly, you may want to process the media card separately. The UFED can pull multimedia files from the media card of most phones, but if the card contains other, non-multimedia file types (documents, executables, archives, etc.), you will not see those files. I typically image the entire media card separately using a write-blocking device or software and imaging software on a laptop.
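The media card step above in working form, as an added example that is not from the original post or from Cellebrite: a Python script that images the card to a file while hashing both the source and the written image so a bad read or write is caught, then scans the whole image for file signatures, so the documents, archives and executables that a phone-side extraction would not list are still found. It assumes a file or a block device presented read-only by a hardware write blocker (the /dev/sdb name is a placeholder) and uses a constructed sample card in place of real evidence; the JPEG, PNG, ZIP and PE signatures are the standard ones, the function names are my own.

```python
"""Added example, not Cellebrite's code: image a phone's media card, verify
the image by hash, then carve files by signature from the whole image.
Source is assumed to be a file or a block device behind a hardware write
blocker (/dev/sdb is a placeholder); the sample card is constructed."""
import hashlib
import io
import os
import re
import tempfile
import zipfile

CHUNK = 1 << 20         # 1 MiB reads keep memory flat on large cards
MAX_WINDOW = 4 << 20    # carve length for formats with no trailer


def image_device(src_path, dst_path):
    """Copy src to dst chunk by chunk, hashing the source as it is read and
    the image after it is written; a mismatch means a bad read or write."""
    src_hash, img_hash = hashlib.sha256(), hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    with open(dst_path, "rb") as img:
        for chunk in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(chunk)
    return {"source_sha256": src_hash.hexdigest(),
            "image_sha256": img_hash.hexdigest(),
            "verified": src_hash.digest() == img_hash.digest()}


def _trailer(tail):
    """End finder for formats with a fixed trailer (JPEG EOI, PNG IEND)."""
    def end_of(image, start, head_len):
        pos = image.find(tail, start + head_len)
        return None if pos < 0 else pos + len(tail)
    return end_of


def _zip_end(image, start, head_len):
    """A ZIP ends 22 bytes after its end-of-central-directory record plus
    the archive comment, whose length sits in the record's last two bytes."""
    pos = image.find(b"PK\x05\x06", start + head_len)
    if pos < 0 or pos + 22 > len(image):
        return None
    return pos + 22 + int.from_bytes(image[pos + 20:pos + 22], "little")


def _is_pe(image, start):
    """'MZ' is two bytes and matches plain text; require e_lfanew -> 'PE\\0\\0'."""
    if start + 0x40 > len(image):
        return False
    e_lfanew = int.from_bytes(image[start + 0x3C:start + 0x40], "little")
    return image[start + e_lfanew:start + e_lfanew + 4] == b"PE\0\0"


SIGNATURES = {  # kind: (header, end finder or None for a bounded window, validator)
    "jpg": (b"\xff\xd8\xff", _trailer(b"\xff\xd9"), None),
    "png": (b"\x89PNG\r\n\x1a\n", _trailer(b"IEND\xaeB`\x82"), None),
    "zip": (b"PK\x03\x04", _zip_end, None),   # also docx/xlsx/apk/jar
    "exe": (b"MZ", None, _is_pe),
}


def carve(image):
    """Return sorted (offset, kind, data) for every validated signature hit."""
    hits = []
    for kind, (head, end_of, validate) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            start = m.start()
            if validate and not validate(image, start):
                continue
            end = (end_of(image, start, len(head)) if end_of
                   else min(start + MAX_WINDOW, len(image)))
            if end is not None:     # None: truncated file, trailer never seen
                hits.append((start, kind, image[start:end]))
    return sorted(hits)


def build_sample_card():
    """Constructed card contents: a JPEG, a ZIP (the .docx container), plain
    text containing a stray 'MZ' that must be rejected, and a minimal PE."""
    jpeg = b"\xff\xd8\xff\xe0JFIF\0" + bytes(range(32)) + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("word/document.xml", (2010, 3, 9, 0, 0, 0)),
                   "<w:document/>")
    text = b"NOTE: MZ is also just two letters in ordinary text\n"
    pe = b"MZ" + bytes(58) + (0x40).to_bytes(4, "little") + b"PE\0\0" + bytes(16)
    return bytes(512) + jpeg + bytes(100) + text + buf.getvalue() + bytes(64) + pe + bytes(256)


def demo():
    """Image a constructed card held in a temp dir, verify it, then carve."""
    card = build_sample_card()
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb")            # stands in for /dev/sdb
        image_path = os.path.join(tmp, "card.dd")
        with open(device, "wb") as f:
            f.write(card)
        report = image_device(device, image_path)
        with open(image_path, "rb") as f:
            hits = carve(f.read())                   # mmap for multi-GB cards
    return report, hits, card
```

The two-byte MZ header is the reason for the validator hook: on a card full of text it fires constantly, and checking that e_lfanew really points at a PE signature is what separates an executable from a coincidence. For a real card, replace the temp file with the write-blocked device path and keep both hash values in the notes with the image.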

PIN-locked SIM cards still cannot be processed unless you can unlock them beforehand. Do not guess at the PIN: after three wrong attempts the SIM demands the PUK, and ten wrong PUK attempts block the card permanently.

One of the best features of the Cellebrite device is the ability to write the extracted data to a FAT-formatted USB device. This allows quick collection; the USB device can then be handed to another investigator for review or processing. Hash the extracted files before the handover so the reviewer can confirm they are unchanged.

Photos of the UFED Ruggedized Model:

The front view

SIM reader at the bottom of the device

SOURCE (left) side of the device

TARGET (right) side of the device

Top view of the device, for connection to the Cellebrite manager program and network

Right side view of the battery pack; the switch selects charging or battery use, and the LEDs display the battery level

As a Certified User of Cellebrite, it is also worthwhile mentioning it's also capable of performing physical and file system acquisition of data, which is then parsed using software installed on a PC. This costs more but is useful as it allows for immediate reading of security code, previous ICCID and a bunch of other used artifacts. With the portable battery pack, you can perform on-the-fly examinations either in the lab or whilst standing on the side of the road with an offender. Like any tool, it has its limitations and minor issues, but as Lance stated it's good for handling bulk exhibits and produces a machine-generated, HTML-based, plain-text, non-logo-branded report ready for immediate introduction into evidentiary reports.

As a daily user of the UFED PE (physical extraction) I can say that you can also perform manual data carving inside the physical dump, which is from my point of view a very powerful feature of the UFED. The only drawback is that the mobile phone makers do not use the same encoding and this makes the analysis harder ... by the way, the UFED does the data acquisition very quickly and allows you to preview the data or launch the analysis process very early in the investigation ... I can take as an example one of my last cases: I found 80% of the data with a "deleted" status -> these data would not have been found without the physical analysis. I never used XACT, the physical version of XRY, so I will not compare it to UFED, but I can say that UFED PE does the work greatly, so I do not need XACT.
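As an added example, not from the commenter above and not Cellebrite's code, the encoding difficulty just mentioned in concrete form: the same SMS text as two handsets might store it in a physical dump, packed as GSM 7-bit septets (GSM 03.38 default alphabet) and as UCS-2 big-endian, with a decoder that tries each encoding on a blob carved from the dump and ranks the results. The sample message and the plausibility score are constructed assumptions; the septet packing, the 128-character table and the CR fill rule follow the GSM specification.

```python
"""Added example, not the commenter's code nor Cellebrite's: one SMS text as two
handsets might store it in a physical dump, GSM 7-bit packed septets (GSM 03.38
default alphabet) and UCS-2 big-endian, plus a decoder that tries each encoding
on a blob from the dump and ranks the results. All sample bytes are constructed."""

GSM_BASIC = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./"
             "0123456789:;<=>?¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿"
             "abcdefghijklmnopqrstuvwxyzäöñüà")      # 128 entries, value = index
CR = GSM_BASIC.index("\r")
OK_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
               "0123456789 .,!?'-:;()@/\n\r")        # crude 'looks like SMS' set


def gsm7_pack(text):
    """Pack septets LSB-first into octets as the SMS user data field does. With
    exactly 7 spare bits left (7, 15, 23 ... characters) the spec fills them
    with CR so a reader does not take seven zero bits for an '@'."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= GSM_BASIC.index(ch) << (7 * i)  # raises for chars needing escape
    n = len(text)
    if n % 8 == 7:
        bits |= CR << (7 * n)
    return bits.to_bytes((7 * n + 7) // 8, "little")


def gsm7_unpack(data, septets=None):
    """Unpack; pass the TP-UDL septet count when the dump preserves it. Without
    it the count is derived from the length and a CR in the fill position is
    dropped, which is the one case a length alone cannot settle."""
    bits = int.from_bytes(data, "little")
    n = septets if septets is not None else len(data) * 8 // 7
    text = "".join(GSM_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(n))
    if septets is None and len(data) % 7 == 0 and text.endswith("\r"):
        text = text[:-1]
    return text


def decode_candidates(blob):
    """The same blob under each encoding a handset might have used."""
    out = {"gsm7": gsm7_unpack(blob), "latin1": blob.decode("latin-1")}
    if len(blob) % 2 == 0:
        try:
            out["ucs2"] = blob.decode("utf-16-be")
        except UnicodeDecodeError:       # lone surrogate: not UCS-2 text
            pass
    return out


def plausibility(text):
    """Share of common SMS characters. This only orders the candidates; the
    examiner still reads them, since a wrong decoding can look like words."""
    return sum(ch in OK_CHARS for ch in text) / max(len(text), 1)


def best_decoding(blob):
    """(encoding, text) with the highest plausibility score."""
    return max(decode_candidates(blob).items(),
               key=lambda kv: plausibility(kv[1]))


SAMPLE_TEXT = "Meet at 9pm"                    # constructed message
SAMPLE_GSM7 = gsm7_pack(SAMPLE_TEXT)           # 11 septets in 10 octets
SAMPLE_UCS2 = SAMPLE_TEXT.encode("utf-16-be")  # 22 octets
```

Run `best_decoding(SAMPLE_GSM7)` and `best_decoding(SAMPLE_UCS2)` to see the same sentence recovered from two byte patterns that share nothing; run `decode_candidates` on either to see what the wrong encodings produce, which is what a carving pass over an unfamiliar handset's dump looks like before the right one is identified.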

As a user of both XACT and UFED PE I found that quite often the application for each will parse the data differently and you end up with two different results, hence you then have to bite the bullet and start doing manual conversions.

UFED supports more phones in every technology (CDMA, GSM, SAT Phones, GPS, etc.) than any competitor. Updates are monthly to support new phones. Training on the UFED is quick and easy for our tactical units. UFED supports more phones that the bad guys are using in Iraq and Afghanistan. Would not trade ours for a competitor's.

My experience with Cellebrite is that it would be hit or miss on actually extracting data on those 45 phones. They say they support a lot of phones; even the device says it does. Then you get nothing. Physical Pro was very disappointing. $8000 is a huge waste of $$$$.
